CVE-2013-1922

Published: 15 April 2013

qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.

Notes

attack is: privileged attacker in the guest that uses a raw image
writes data to beginning of device. Later, someone on the host uses qemu-nbd
on the attacker-modified image. When the guest is rebooted, the attacker may
have access to other files.
On Ubuntu, the preferred virtualization management technology is
libvirt. As of USN-1008-1, libvirt does not probe the disk format, which
reduces this attack to a denial of server for the guest (ie, the
attacker-modified image is not usable on reboot).
TODO: review use in nova

patch just introduced new --format option. Default behaviour is
still to autodetect. Adding this new option doesn't fix the
issue by itself, so marking as "low"
We will not be fixing this issue in Ubuntu 12.04 LTS.

Status

References

• http://www.openwall.com/lists/oss-security/2013/04/15/3
• https://www.cve.org/CVERecord?id=CVE-2013-1922
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.redhat.com/show_bug.cgi?id=923219
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705544